puppet 6.21.1-x86-mingw32 → 6.25.0-x86-mingw32

data/spec/unit/util/selinux_spec.rb

@@ -3,26 +3,29 @@ require 'spec_helper'
 require 'pathname'
 require 'puppet/util/selinux'
 
-unless defined?(Selinux)
-  module Selinux
-    def self.is_selinux_enabled
-      false
-    end
-  end
-end
-
 describe Puppet::Util::SELinux do
   include Puppet::Util::SELinux
 
+  let(:selinux) { double('selinux', is_selinux_enabled: false) }
+
+  before :each do
+    stub_const('Selinux', selinux)
+  end
+
   describe "selinux_support?" do
-    it "should return :true if this system has SELinux enabled" do
+    it "should return true if this system has SELinux enabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(1)
-      expect(selinux_support?).to be_truthy
+      expect(selinux_support?).to eq(true)
     end
 
-    it "should return :false if this system lacks SELinux" do
+    it "should return false if this system has SELinux disabled" do
       expect(Selinux).to receive(:is_selinux_enabled).and_return(0)
-      expect(selinux_support?).to be_falsey
+      expect(selinux_support?).to eq(false)
+    end
+
+    it "should return false if this system lacks SELinux" do
+      hide_const('Selinux')
+      expect(selinux_support?).to eq(false)
     end
 
     it "should return nil if /proc/mounts does not exist" do
@@ -156,7 +159,7 @@ describe Puppet::Util::SELinux do
       end
     end
 
-    it "handles no such file or directory errors by issuing a warning" do
+    it "backward compatibly handles no such file or directory errors by issuing a warning when resource_ensure not set" do
       without_partial_double_verification do
         allow(self).to receive(:selinux_support?).and_return(true)
         allow(self).to receive(:selinux_label_support?).and_return(true)
@@ -167,6 +170,51 @@ describe Puppet::Util::SELinux do
       end
     end
 
+    it "should determine mode based on resource ensure when set to file" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 32768).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :present)).to be_nil
+        expect(get_selinux_default_context("/root/chuj", :file)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to dir" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 16384).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :directory)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to link" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 40960).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", :link)).to be_nil
+      end
+    end
+
+    it "should determine mode based on resource ensure when set to unknown" do
+      without_partial_double_verification do
+        allow(self).to receive(:selinux_support?).and_return(true)
+        allow(self).to receive(:selinux_label_support?).and_return(true)
+        allow(Selinux).to receive(:matchpathcon).with("/root/chuj", 0).and_return(-1)
+        allow(self).to receive(:file_lstat).with("/root/chuj").and_raise(Errno::ENOENT, "/root/chuj")
+
+        expect(get_selinux_default_context("/root/chuj", "unknown")).to be_nil
+      end
+    end
+
     it "should return nil if matchpathcon returns failure" do
       without_partial_double_verification do
         expect(self).to receive(:selinux_support?).and_return(true)
@@ -326,21 +374,44 @@ describe Puppet::Util::SELinux do
     end
 
     it "should return nil if no default context exists" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return(nil)
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return(nil)
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should do nothing and return nil if the current context matches the default context" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("user_u:role_r:type_t")
       expect(set_selinux_default_context("/foo")).to be_nil
     end
 
     it "should set and return the default context if current and default do not match" do
-      expect(self).to receive(:get_selinux_default_context).with("/foo").and_return("user_u:role_r:type_t")
+      expect(self).to receive(:get_selinux_default_context).with("/foo", nil).and_return("user_u:role_r:type_t")
       expect(self).to receive(:get_selinux_current_context).with("/foo").and_return("olduser_u:role_r:type_t")
       expect(self).to receive(:set_selinux_context).with("/foo", "user_u:role_r:type_t").and_return(true)
       expect(set_selinux_default_context("/foo")).to eq("user_u:role_r:type_t")
     end
   end
+
+  describe "get_create_mode" do
+    it "should return 0 if the resource is absent" do
+      expect(get_create_mode(:absent)).to eq(0)
+    end
+
+    it "should return mode with file type set to S_IFREG when resource is file" do
+      expect(get_create_mode(:present)).to eq(32768)
+      expect(get_create_mode(:file)).to eq(32768)
+    end
+
+    it "should return mode with file type set to S_IFDIR when resource is dir" do
+      expect(get_create_mode(:directory)).to eq(16384)
+    end
+
+    it "should return mode with file type set to S_IFLNK when resource is link" do
+      expect(get_create_mode(:link)).to eq(40960)
+    end
+
+    it "should return 0 for everything else" do
+      expect(get_create_mode("unknown")).to eq(0)
+    end
+  end
 end

data/spec/unit/util/windows/sid_spec.rb

@@ -131,33 +131,74 @@ describe "Puppet::Util::Windows::SID", :if => Puppet::Util::Platform.windows? do
       expect(subject.name_to_principal(unknown_name)).to be_nil
     end
 
+    it "should print a debug message if the account does not exist" do
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(unknown_name)
+    end
+
     it "should return a Puppet::Util::Windows::SID::Principal instance for any valid sid" do
       expect(subject.name_to_principal(sid)).to be_an_instance_of(Puppet::Util::Windows::SID::Principal)
     end
 
+    it "should not print debug messages for valid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(sid)
+    end
+
+    it "should print a debug message for invalid sid" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('S-1-5-21-INVALID-SID')
+    end
+
     it "should accept unqualified account name" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM').sid).to eq(sid)
     end
 
+    it "should not print debug messages for unqualified account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('SYSTEM')
+    end
+
     it "should be case-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal('system'))
     end
 
+    it "should not print debug messages for wrongly cased account name" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('system')
+    end
+
     it "should be leading and trailing whitespace-insensitive" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really Syst\u00E8me
       expect(subject.name_to_principal('SYSTEM')).to eq(subject.name_to_principal(' SYSTEM '))
     end
 
+    it "should not print debug messages for account name with leading and trailing whitespace" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal(' SYSTEM ')
+    end
+
     it "should accept domain qualified account names" do
       # NOTE: lookup by name works in localized environments only for a few instances
       # this works in French Windows, even though the account is really AUTORITE NT\\Syst\u00E8me
       expect(subject.name_to_principal('NT AUTHORITY\SYSTEM').sid).to eq(sid)
     end
+
+    it "should not print debug messages for domain qualified account names" do
+      expect(Puppet).not_to receive(:debug).with(/Could not retrieve raw SID bytes from/)
+      expect(Puppet).not_to receive(:debug).with(/No mapping between account names and security IDs was done/)
+      subject.name_to_principal('NT AUTHORITY\SYSTEM')
+    end
   end
 
   context "#ads_to_principal" do

data/tasks/generate_cert_fixtures.rake

@@ -40,6 +40,7 @@ task(:gen_cert_fixtures) do
   # 127.0.0.1.pem                     |   +- /CN=127.0.0.1 (with dns alt names)
   # tampered-cert.pem                 |   +- /CN=signed (with different public key)
   # ec.pem                            |   +- /CN=ec (with EC private key)
+  # oid.pem                           |   +- /CN=oid (with custom oid)
   #                                   |
   #                                   + /CN=Test CA Agent Subauthority
   #                                   |  |
@@ -49,7 +50,7 @@ task(:gen_cert_fixtures) do
   #
   # bad-basic-constraints.pem        /CN=Test CA (bad isCA constraint)
   #
-  # unknown-ca.pemm                  /CN=Unknown CA
+  # unknown-ca.pem                   /CN=Unknown CA
   #                                   |
   # unknown-127.0.0.1.pem             +- /CN=127.0.0.1
   #
@@ -103,6 +104,14 @@ task(:gen_cert_fixtures) do
   save(dir, '127.0.0.1.pem', signed[:cert])
   save(dir, '127.0.0.1-key.pem', signed[:private_key])
 
+  # Create an SSL cert with extensions containing custom oids
+  extensions = [
+    ['1.3.6.1.4.1.34380.1.2.1.1', OpenSSL::ASN1::UTF8String.new('somevalue'), false],
+  ]
+  oid = ca.create_cert('oid', inter[:cert], inter[:private_key], extensions: extensions)
+  save(dir, 'oid.pem', oid[:cert])
+  save(dir, 'oid-key.pem', oid[:private_key])
+
   # Create a leaf/entity key and cert for host "revoked", issued by "Test CA Subauthority"
   # and revoke the cert
   revoked = ca.create_cert('revoked', inter[:cert], inter[:private_key])
@@ -173,12 +182,12 @@ task(:gen_cert_fixtures) do
 
   # Create a request, but replace its public key after it's signed
   tampered_csr = ca.create_request('signed')[:csr]
-  tampered_csr.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_csr.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-csr.pem', tampered_csr)
 
   # Create a cert issued from the real intermediate CA, but replace its
   # public key
   tampered_cert = ca.create_cert('signed', inter[:cert], inter[:private_key])[:cert]
-  tampered_cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  tampered_cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
   save(dir, 'tampered-cert.pem', tampered_cert)
 end

data/tasks/parallel.rake

@@ -5,9 +5,9 @@ require 'thread'
 begin
   require 'rspec'
   require 'rspec/core/formatters/helpers'
-  require 'facter'
+  require 'etc'
 rescue LoadError
-  # Don't define the task if we don't have rspec or facter present
+  # Don't define the task if we don't have rspec present
 else
   module Parallel
     module RSpec
@@ -401,7 +401,7 @@ else
       # Default group size in rspec examples
       DEFAULT_GROUP_SIZE = 1000
 
-      process_count = [(args[:process_count] || Facter.value("processorcount")).to_i, 1].max
+      process_count = [(args[:process_count] || Etc.nprocessors).to_i, 1].max
       group_size = [(args[:group_size] || DEFAULT_GROUP_SIZE).to_i, 1].max
 
       abort unless Parallel::RSpec::Parallelizer.new(process_count, group_size, color_output?, args.extras).run